Update network.tf

Made it stateless, more secure by default
AdmiraalA · Feb 21, 2024 · 6592436 · 6592436
1 parent b7deb74
commit 6592436
Showing 1 changed file with 128 additions and 40 deletions.
diff --git a/network.tf b/network.tf
@@ -1,63 +1,151 @@
-resource "oci_core_vcn" "default_oci_core_vcn" {
-  cidr_block     = var.oci_core_vcn_cidr
-  compartment_ocid = var.compartment_ocid
-  display_name   = "Default OCI core vcn"
-  dns_label      = var.oci_core_vcn_dns_label
+resource "oci_core_network_security_group" "public_lb_nsg" {
+  compartment_id = var.compartment_ocid
+  vcn_id         = oci_core_vcn.default_oci_core_vcn.id
+  display_name   = "K3s public LB nsg"
+
   freeform_tags = {
     "provisioner"           = "terraform"
-    "environment"           = "${var.environment}"
-    "${var.unique_tag_key}" = "${var.unique_tag_value}"
+    "environment"           = var.environment
+    "${var.unique_tag_key}" = var.unique_tag_value
   }
 }
 
-resource "oci_core_subnet" "default_oci_core_subnet10" {
-  cidr_block        = var.oci_core_subnet_cidr10
-  compartment_id    = var.compartment_ocid
-  display_name      = "${var.oci_core_subnet_cidr10} (default) OCI core subnet"
-  dns_label         = var.oci_core_subnet_dns_label10
-  route_table_id    = oci_core_vcn.default_oci_core_vcn.default_route_table_id
-  vcn_id            = oci_core_vcn.default_oci_core_vcn.id
-  security_list_ids = [oci_core_default_security_list.default_security_list.id]
-  freeform_tags = {
-    "provisioner"           = "terraform"
-    "environment"           = "${var.environment}"
-    "${var.unique_tag_key}" = "${var.unique_tag_value}"
+resource "oci_core_network_security_group_security_rule" "allow_http_from_all" {
+  network_security_group_id = oci_core_network_security_group.public_lb_nsg.id
+  direction                 = "INGRESS"
+  protocol                  = 6 # tcp
+
+  description = "Allow HTTP from all"
+
+  source      = "0.0.0.0/0"
+  source_type = "CIDR_BLOCK"
+  stateless   = true
+
+  tcp_options {
+    destination_port_range {
+      max = var.http_lb_port
+      min = var.http_lb_port
+    }
+  }
+}
+
+resource "oci_core_network_security_group_security_rule" "allow_https_from_all" {
+  network_security_group_id = oci_core_network_security_group.public_lb_nsg.id
+  direction                 = "INGRESS"
+  protocol                  = 6 # tcp
+
+  description = "Allow HTTPS from all"
+
+  source      = "0.0.0.0/0"
+  source_type = "CIDR_BLOCK"
+  stateless   = true
+
+  tcp_options {
+    destination_port_range {
+      max = var.https_lb_port
+      min = var.https_lb_port
+    }
+  }
+}
+
+resource "oci_core_network_security_group_security_rule" "allow_kubeapi_from_all" {
+  count                     = var.expose_kubeapi ? 1 : 0
+  network_security_group_id = oci_core_network_security_group.public_lb_nsg.id
+  direction                 = "INGRESS"
+  protocol                  = 6 # tcp
+
+  description = "Allow kubeapi access from my_public_ip_cidr"
+
+  source      = var.my_public_ip_cidr[0]  # Selecting the first element from the list
+  source_type = "CIDR_BLOCK"
+  stateless   = true
+
+  tcp_options {
+    destination_port_range {
+      max = var.kube_api_port
+      min = var.kube_api_port
+    }
   }
 }
 
-resource "oci_core_subnet" "oci_core_subnet11" {
-  cidr_block        = var.oci_core_subnet_cidr11
-  compartment_id    = var.compartment_ocid
-  display_name      = "${var.oci_core_subnet_cidr11} OCI core subnet"
-  dns_label         = var.oci_core_subnet_dns_label11
-  route_table_id    = oci_core_vcn.default_oci_core_vcn.default_route_table_id
-  vcn_id            = oci_core_vcn.default_oci_core_vcn.id
-  security_list_ids = [oci_core_default_security_list.default_security_list.id]
+resource "oci_core_network_security_group" "lb_to_instances_http" {
+  compartment_id = var.compartment_ocid
+  vcn_id         = oci_core_vcn.default_oci_core_vcn.id
+  display_name   = "Public LB to K3s workers Compute Instances NSG"
+
   freeform_tags = {
     "provisioner"           = "terraform"
-    "environment"           = "${var.environment}"
-    "${var.unique_tag_key}" = "${var.unique_tag_value}"
+    "environment"           = var.environment
+    "${var.unique_tag_key}" = var.unique_tag_value
+  }
+}
+
+resource "oci_core_network_security_group_security_rule" "nsg_to_instances_http" {
+  network_security_group_id = oci_core_network_security_group.lb_to_instances_http.id
+  direction                 = "INGRESS"
+  protocol                  = 6 # tcp
+
+  description = "Allow HTTP from all"
+
+  source      = oci_core_network_security_group.public_lb_nsg.id
+  source_type = "NETWORK_SECURITY_GROUP"
+  stateless   = true
+
+  tcp_options {
+    destination_port_range {
+      max = var.http_lb_port
+      min = var.http_lb_port
+    }
   }
 }
 
+resource "oci_core_network_security_group_security_rule" "nsg_to_instances_https" {
+  network_security_group_id = oci_core_network_security_group.lb_to_instances_http.id
+  direction                 = "INGRESS"
+  protocol                  = 6 # tcp
 
-resource "oci_core_internet_gateway" "default_oci_core_internet_gateway" {
+  description = "Allow HTTPS from all"
+
+  source      = oci_core_network_security_group.public_lb_nsg.id
+  source_type = "NETWORK_SECURITY_GROUP"
+  stateless   = true
+
+  tcp_options {
+    destination_port_range {
+      max = var.https_lb_port
+      min = var.https_lb_port
+    }
+  }
+}
+
+resource "oci_core_network_security_group" "lb_to_instances_kubeapi" {
   compartment_id = var.compartment_ocid
-  display_name   = "Internet Gateway Default OCI core vcn"
-  enabled        = "true"
   vcn_id         = oci_core_vcn.default_oci_core_vcn.id
+  display_name   = "Public LB to K3s master Compute Instances NSG (kubeapi)"
+
   freeform_tags = {
     "provisioner"           = "terraform"
-    "environment"           = "${var.environment}"
-    "${var.unique_tag_key}" = "${var.unique_tag_value}"
+    "environment"           = var.environment
+    "${var.unique_tag_key}" = var.unique_tag_value
   }
 }
 
-resource "oci_core_default_route_table" "default_oci_core_default_route_table" {
-  route_rules {
-    destination       = "0.0.0.0/0"
-    destination_type  = "CIDR_BLOCK"
-    network_entity_id = oci_core_internet_gateway.default_oci_core_internet_gateway.id
+resource "oci_core_network_security_group_security_rule" "nsg_to_instances_kubeapi" {
+  count                     = var.expose_kubeapi ? 1 : 0
+  network_security_group_id = oci_core_network_security_group.lb_to_instances_kubeapi.id
+  direction                 = "INGRESS"
+  protocol                  = 6 # tcp
+
+  description = "Allow kubeapi access from my_public_ip_cidr"
+
+  source      = oci_core_network_security_group.public_lb_nsg.id
+  source_type = "NETWORK_SECURITY_GROUP"
+  stateless   = true
+
+  tcp_options {
+    destination_port_range {
+      max = var.kube_api_port
+      min = var.kube_api_port
+    }
   }
-  manage_default_resource_id = oci_core_vcn.default_oci_core_vcn.default_route_table_id
 }